XP Security Tool 2010, XP Defender Pro, Vista
Security Tool 2010, and Vista Defender Pro are all new rogues that
are exactly the same program. They are just shown with different names and interfaces
depending on the version of Windows that it is run on. This guide run under
quite a few different names, which I have listed below based upon the version
of Windows:
| Windows XP Rogue Name |
Windows Vista Rogue Name |
Windows 7 Rogue Name |
| AntiSpyware XP |
AntiSpyware Vista |
AntiSpyware Win 7 |
| AntiSpyware XP 2010 |
AntiSpyware Vista 2010 |
AntiSpyware Win 7 2010 |
| Antivirus XP |
Antivirus Vista |
Antivirus Win 7 |
| Antivirus XP 2010 |
Antivirus Vista 2010 |
Antivirus Win 7 2010 |
| Total XP Security |
Total Vista Security |
Total Win 7 Security |
| XP AntiSpyware 2010 |
Vista Guardian |
Win 7 Antispyware 2010 |
| XP Antivirus Pro |
Vista Security Tool |
Win 7 Antivirus Pro |
| XP Guardian |
Vista Security Tool 2010 |
Win 7 Guardian |
| XP Security Tool |
Vista Smart Security |
Win 7 Security Tool |
| XP Security Tool 2010 |
Vista Smart Security 2010 |
Win 7 Security Tool 2010 |
| XP Smart Security |
Vista AntiMalware |
Win 7 Smart Security |
| XP Smart Security 2010 |
Vista AntiMalware 2010 |
Win 7 Smart Security 2010 |
| XP AntiMalware |
Vista AntiSpyware |
Win 7 AntiMalware |
| XP AntiMalware 2010 |
Vista AntiSpyware 2010 |
Win 7 AntiMalware 2010 |
| XP Antivirus Pro |
Vista Antivirus Pro |
Win 7 Antivirus Pro |
| XP Defender |
Vista Defender |
Win 7 Defender |
| XP Defender Pro |
Vista Defender Pro |
Win 7 Defender Pro |
| XP Security |
Vista Security |
Win 7 Security |
| XP Security 2010 |
Vista Security 2010 |
Win 7 Security 2010 |
| XP Internet Security |
Vista Internet Security |
Win 7 Internet Security |
| XP Internet Security 2010 |
Vista Internet Security 2010 |
Win 7 Internet Security 2010 |
When installed, this rogue pretends to be an update for Windows installed via
Automatic Updates. It will then install itself as a single executable called
AV.exe that uses very aggressive techniques to make it so that you cannot remove
it. First, it makes it so that if you launch any executable it instead launches
XP Security Tool 2010, XP Defender Pro, or Vista Defender Pro. If the original
program that you wanted to launch is deemed safe by the rogue, it will then
launch it as well. This allows the rogue to determine what executables it wants
to allow you to run in order to protect itself. It will also modify certain
keys so that when you launch FireFox or Internet Explorer it will launch the
rogue instead and display a fake firewall warning. Last, but not least, when
try to browse to a web site, it will hijack your browser and state that the
site is a security risk and not allow you to visit it.
Vista Antispyware 2010
For more screen shots of this infection click on the image above.
There are a total of 14 images you can view.
Once started, the rogue itself, like all other rogues, will scan your computer
and state that there are numerous infections on it. If you attempt to use the
program to remove any of these infections, though, it will state that you need
to purchase the program first. In reality, though, the infections that the rogues
states are on your computer are all legitimate files that if deleted could cause
Windows to not operate correctly. Therefore, please do not trust anything it
states are infections.
While running, XP Security Tool 2010, XP Defender Pro, Vista Security Tool
2010, and Vista Defender Pro will also display fake security alerts on the infected
computer. The text of some of these alerts are:
Tracking software found!
Your PC activity is being monitored. Possible spyware infection. Your data
security may be compromised. Sensitive data can be stolen. Prevent damage
now by completing security scan.
XP Internet Security 2010 Firewall Alert!
XP Internet Security 2010 has blocked a program from accessing the
Internet
Internet Explorer is infected with Trojan-BNK.Win32-Keylogger.gen
Private data can be stolen by third parties, including credit card details
and passwords.
Just like the scan results, these fake security warnings and alerts are all
fake and should be ignored.
Without a doubt, this rogue is designed to scam you out of your money by hijacking
your computer and trying to trick you into thinking you are infected. Therefore,
please do not purchase this program , and if you have, please contact your credit
card company and dispute the charges. Finally, to remove XP Security Tool 2010,
XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro please use
the guide below, which only contains programs that are free to use.
Threat Classification:
Advanced information:
View XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro files.
View XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro Registry Information.
Tools Needed for this fix:
Article Updates:
01/27/10 - Initial guide creation.
01/27/10 - Updated for new rogue names.
01/28/10 - Updated for new rogue names.
02/03/10 - Updated for new rogue names.
03/17/10 - Updated for new version of rogue and new names.
03/22/10 - Updated removal instructions
Automated Removal Instructions for XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro using Malwarebytes Anti-Malware:
- For the first part of this removal guide you will need to use a different
computer than the infected one. This is also a tricky rogue to remove, so
please follow the instructions carefully. If you are concerned about whether
or not you can do this, do not be, as I have made these instructions easy
to follow for people of any computer expertise.
- From another computer, please download Malwarebytes Anti-Malware, or MBAM,
and the reg files from the following locations and save it to an external
media such as an external hard drive or a USB flash drive. We will then use
the external drive or flash drive to to transfer these files to your infected
computer. If you do not own a USB flash drive, you can get one from any local
or online computer store for a small price. Some examples of good and cheap
ones can be found at Newegg
and Best
Buy. The files that you should download onto this device are:
Malwarebytes Anti-Malware Download Link
(Download page will open in a new window) - Everyone should download this
FixExe.reg
- Everyone should download this
- Once you have downloaded all the necessary files to a removable device,
you need to plug it into your infected computer so it can access them.
- On the infected computer make sure XP Internet Security 2010, Antivirus
Vista 2010, or Win 7 Antispyware 2010 is running. If it is not, you can launch
it by running any program on your computer as that will trigger the rogue
program to run. Once running, do not close it during the
entire length of this guide.
- Now open the drive that corresponds to the removable media that you copied
the programs from step 2 onto. Once open, double-click on the FixExe.reg
file. When Windows prompts whether or not you want to allow the data to be
added to your computer, click on the Yes button.
- Now you should be able to run the mbam-setup.exe file
that you saved on your removable media in step 2. Double-click on this file
to install MalwareBytes' on to your computer. When the installation begins,
keep following the prompts in order to continue with the installation process.
Do not make any changes to default settings and when the program has finished
installing, make sure you leave both the Update Malwarebytes Anti-Malware
and Launch Malwarebytes Anti-Malware checked.
Then click on the Finish button. If you already have MalwareBytes'
installed, simply launch it now and continue to step 8.
- MBAM will now start and you will be at the main screen as shown below.
Please click on the Scan Now button to start the scan. If there is an update available for Malwarebytes it will automatically download and install it before performing the scan.
- MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you do something else and periodically
check on the status of the scan to see when it is finished.
- When MBAM is finished scanning it will display a screen that displays any malware that it has detected. Please note that the infections found may be different
than what is shown in the image below due to the guide being updated for newer versions of MBAM.
You should now click on the Remove Selected button to remove
all the seleted malware. MBAM will now delete all of the files and registry
keys and add them to the programs quarantine. When removing the files, MBAM
may require a reboot in order to remove some of them. If it displays a message
stating that it needs to reboot, please allow it to do so. Once your computer
has rebooted, and you are logged in, please continue with the rest of the
steps.
- You can now exit the MBAM program.
- As many rogues and other malware are installed through vulnerabilities found
in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here:
How to
detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the
XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro
programs. If your current anti-virus solution let this infection through,
you may want to consider purchasing the
PRO version of Malwarebytes Anti-Malware to protect against these types
of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
View Associated XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro Files
<b>Windows XP:</b>
c:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\ave.exe
%UserProfile%\Local Settings\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Temp\QJyrk5wvCU1
%UserProfile%\Templates\QJyrk5wvCU1
<b>Windows Vista and Windows 7:</b>
C:\ProgramData\QJyrk5wvCU1
C:\Users\All Users\QJyrk5wvCU1
%UserProfile%\AppData\Local\av.exe
%UserProfile%\AppData\Local\ave.exe
%UserProfile%\AppData\Local\QJyrk5wvCU1
%UserProfile%\AppData\Local\WRblt8464P
%UserProfile%\AppData\Local\Temp\QJyrk5wvCU1
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\QJyrk5wvCU1
File Location Notes:
%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.
View Associated XP Security Tool 2010, XP Defender Pro, Vista Security Tool 2010, and Vista Defender Pro Windows Registry Information
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.
